Port Forwarding

Phoenician phoenician at phoenixcolony.com
Tue Jan 14 15:14:43 CST 2003


hehe Hey Jeremy,

Have you thought about a new career as a technical English teacher that
specializes in grammatically correct technical nomenclature?

-----Original Message-----
From: owner-kclug at marauder.illiana.net
[mailto:owner-kclug at marauder.illiana.net]On Behalf Of Jeremy Fowler
Sent: Monday, January 13, 2003 6:37 PM
To: Jonathan Hutchins; kclug at kclug.org
Subject: RE: Port Forwarding

It's not that the answer isn't out there. It's all a matter of asking the
right question. Because your question, "How to forward an internal webserver
as if it were on a 2.4 Kernel firewall using iptables?" doesn't really make a
lot of sense to me. So let's break it down:

"How to forward an internal webserver..."

Ok, you can't forward a webserver. You can forward packets to/from a
webserver - but not a webserver.

"as if it"

It being what? The webserver?

Ok this next part makes even less sense...

"were on a 2.4 Kernel firewall using iptables."

So what does a webserver have to do with the 2.4 Kernel firewall? How do you
put a webserver on a 2.4 Kernel firewall with iptables? Um, you can't...
Iptables doesn't put webservers on 2.4 kernel firewalls... It just doesn't
work that way.

So do you see the problem here? The question wasn't very clear and that is
why you're having problems finding an answer.

So, I'm going to attempt to answer your question, but I'm going to do it in
the way I assume your question is trying to ask. Which is: How do you forward
packets through a netfilter firewall to an internal webserver? If so, why
didn't you just say that?

<PS> I realize I'm being a dick here. I'm not in a very good mood for
whatever reason and I thought I would blow some steam by answering your
question like an asshole. I thought it would be funny and lift my spirits.
Nothing personal, it's just your email caught my attention and now I'm
picking on you. Besides, everyone needs their balls busted every once in a
while... ;-P </PS>

So I'm assuming from your cryptic question that you would like to forward
packets through an iptables/netfilter firewall to a webserver that is inside
your network. This is how you do it:

The feature you are looking for is called DNAT or Destination NAT. It's when
you change the "destination" host of certain packets coming into the
firewall/router. DNAT is handled in the PREROUTING chain of the nat table in
netfilter. A sample rule looks like this:

# Public IP address of the firewall or Public IP of the HTTP server
# (shell assignments take no $ on the left-hand side)
EXTERNAL_IP="10.0.0.1"

# Internal IP address of the HTTP Server
HTTP_SERVER_IP="192.168.0.5"

iptables -t nat -A PREROUTING -i eth0 -p TCP -d $EXTERNAL_IP --dport 80 -j DNAT --to-destination $HTTP_SERVER_IP

So this rule says: any TCP packet with a destination port of 80 coming in on
interface eth0 destined for external IP 10.0.0.1 is DNATed or forwarded to
the HTTP server which has an IP address of 192.168.0.5. We limit the packets
to only be TCP packets, we make sure the packet is coming in on the external
(public) interface eth0, we make sure that the packet's destination IP is
10.0.0.1 (just in case we alias more than one IP to an interface), and of
course we make sure the protocol is HTTP so the destination port has to be
80. Now you very well could have just used:

# The target is DNAT (there is no "NAT" target), and iptables rejects --dport
# unless a protocol match (-p tcp or -p udp) is present, so -p tcp is the
# minimum needed for this rule to load at all.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $HTTP_SERVER_IP

Which means any packet (UDP or TCP) with a destination port of 80 coming in
on any interface no matter the IP it was destined for is forwarded to
192.168.0.5. Which is a pretty broad rule and a bad idea. The first rule is
better because it limits the packets being forwarded and gives you better
control of the forwarding.

I hope that helps. -Jer ;-)

> -----Original Message-----
> From: owner-kclug at marauder.illiana.net
> [mailto:owner-kclug at marauder.illiana.net]On Behalf Of Jonathan Hutchins
> Sent: Sunday, January 12, 2003 3:25 PM
> To: 'kclug at kclug.org'
> Subject: Port Forwarding
>
>
> Boy, it's amazing how many people have asked the same question: how to
> forward an internal webserver as if it were on a 2.4 Kernel firewall using
> iptables.  You'll get pages of hits on Google's usenet archives.
>
> Very few of the queries have answers.  Mostly the answers are "like, I'm
> still running Windows, but I think you need ipchains for that".
>
> I'm running a firewall script derived from David Ranch's Trinity OS Project,
> and I've written him to see if he's willing to provide an example script.
> Who knows?  A question this big deserves an answer.
>
>

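A complete rule set for the case Jeremy describes, added here as an example and not part of the thread. The interface name, addresses and port follow his sample (eth0, 10.0.0.1, 192.168.0.5); the internal interface eth1 is an assumption. It shows what the single PREROUTING rule leaves out: IP forwarding has to be switched on, and on a firewall whose FORWARD chain drops by default the forwarded connection must also be accepted there. Because the nat PREROUTING chain runs before the filter FORWARD chain, the FORWARD rule has to match the already-rewritten destination (192.168.0.5), not the public 10.0.0.1; the script includes a check for that mistake.

```shell
#!/bin/sh
# Added example: DNAT TCP/80 through a netfilter firewall to an internal web
# server, with the pieces the PREROUTING rule alone does not cover.
# Values follow the thread's sample; INT_IF (eth1) is an assumption.
EXT_IF="eth0"               # public-facing interface
INT_IF="eth1"               # assumption: interface toward the LAN
EXTERNAL_IP="10.0.0.1"      # public address the rule listens on
HTTP_SERVER_IP="192.168.0.5"
HTTP_PORT="80"

# Print the commands instead of running them, so the rule set can be
# reviewed (or diffed against a live `iptables-save`) before it is applied.
dnat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXTERNAL_IP --dport $HTTP_PORT -j DNAT --to-destination $HTTP_SERVER_IP
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $HTTP_SERVER_IP --dport $HTTP_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -s $HTTP_SERVER_IP --sport $HTTP_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Sanity check for a common mistake: a FORWARD rule written against the
# public IP never matches, because PREROUTING has already rewritten the
# destination by the time FORWARD sees the packet. Returns 0 (true) when no
# FORWARD line references the public address.
forward_rules_use_internal_ip() {
    ! dnat_rules | grep '^iptables -A FORWARD' | grep -q -- "-d $EXTERNAL_IP"
}

case "${1:-}" in
    --apply) dnat_rules | sh -e ;;   # needs root on the firewall itself
    *)       dnat_rules ;;
esac
```

Run it without arguments to see the rules, with `--apply` on the firewall to load them. The `-m state` match is the 2.4-era module; on current kernels `-m conntrack --ctstate` does the same job. One caveat this does not solve: clients on the internal LAN that browse to the public 10.0.0.1 get their reply straight from 192.168.0.5 with its private source address, so their connection fails unless those connections are also SNATed in POSTROUTING or internal DNS points them at the private address.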